Ruby creators warn of serious flaws
The Ruby programming language, which has become popular as the basis for web 2.0 sites such as Twitter, contains serious security flaws that could allow attackers to take over an organization's web server, according to the Ruby development team.
The "disturbing" flaws, which were disclosed on Friday, could affect nearly any typical Ruby-based web application, according to Thomas Ptacek, founder of security firm Matasano.
The five bugs affect Ruby version 1.8 up to 1.8.7-p21 and version 1.9 up to 1.9.0-1, according to the Ruby development team.
Users can remedy the problem by upgrading to a patched version of Ruby, developers said, with patches available on the Ruby language site.
Popular websites such as Twitter, Scribd, Hulu and the Facebook application Friends for Sale use Ruby, along with the Rails framework, to deploy sophisticated features.
At least three of the published vulnerabilities are easily exploitable and allow normal Ruby code to corrupt the memory of the standard interpreter MRI, Matasano's Ptacek said in an advisory on Friday.
"They involve integer handling errors in the native code backing Ruby's Array, String, and Bignum classes," Ptacek wrote. "These are core classes in Ruby, and don't depend on the libraries or extensions that programs load."
He said organizations running Ruby-based web applications should upgrade their servers as soon as possible.
"Why is this so disturbing? These vulnerabilities are likely to crop up in just about any average Ruby web application," he wrote. "The conditions under which the vulnerabilities are exploitable depend on the Ruby programs you are running. But don't gamble. Update as soon as you can."
» posted by abennett
Techworld.com
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Crimeware: Understanding New Attacks and Defenses
By Markus Jakobsson, Zulfikar Ramzan
Published Apr 6, 2008 by Addison-Wesley Professional. Part of the Symantec Press series.
Enter now! | Official rules | Sample chapter
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
By Peter Thermos, Ari Takanen
Published Aug 1, 2007 by Addison-Wesley Professional.
Enter now! | Official rules | Sample chapter
